Creatures of Habit: How Behavioral Analytics Can Deter Insider Threats

The consistency of our day-to-day routines helps keep us sane in this world. We wake up, go to work, and perform our jobs to the best of our ability, standardizing our behavior to be as efficient as possible. Sometimes we stray from the routine, but for the most part it is consistent. Yet when it comes to deterring insider threats, managers and administrators sometimes forget that people are creatures of habit. Because we are creatures of habit, our behavior can be tracked over time to establish a baseline of "normal" activity. Many people already do this in their personal lives, for their health, their finances, their searches, and many other areas.

Tracking and analyzing personal behavior has become common practice, and it gives people useful insights. So imagine what analyzing behavior on your business's network could tell you. Whether you are working with a small team of 10 or with 500,000 employees, the activity generated on your network carries valuable insights, which can be used to prevent data breaches or to improve processes and productivity.

So let's explore behavior analytics in more depth, the rise of insider-enabled ransomware, and case studies of how those threats could have been deterred.

User Behavior Analytics: Defined & Capabilities

Put simply, user behavior analytics (UBA) is the practice of tracking, collecting, and analyzing activity data, most of it drawn from logs. Collecting and analyzing log data is often handled by log monitoring or security information and event management (SIEM) tooling; UBA builds on that data to model how each individual user normally behaves. It sounds simple, but imagine trying to read through the logs generated every second and extract meaningful insights from them by hand. It would drive you mad! Thankfully, software exists to do this job for you.

UBA and SIEM software identify behavioral patterns, define a "normal" or baseline for each user, and monitor for deviations from that baseline. A SIEM does not usually take action on its findings, but it provides very actionable data for security teams, and the technology has now improved to the point where findings can be paired with automated responses. The software can also track desktop and application activity, not only network events. One of the most important benefits of behavior analytics is the ability to perform very precise forensics when a security incident does occur: the same records that define a user's baseline also show exactly what that account did, on which systems, and when.

Much of the recent progress has come from combining machine learning with behavioral analytics. Day by day the merging of these two technologies is giving the companies that use them stronger preventive measures, and insider threats are being deterred as a result. At the same time, the damage from insider incidents is increasing year after year, with 2017 looking like the most severe yet. With advances in crime such as ransomware-as-a-service and ransomware developed purely for sabotage, the stakes have never been higher.

Insider Threats & Ransomware

What is still the number one concern for security experts? Insider threats. What has become the recent cause of panic in the business world? You guessed it: ransomware. Paired together, these two make a devastating combination. As a reminder, an insider threat is a security threat that comes from within an organization.

The "insider" usually comes in the form of employees, managers, executive officers, and privileged third parties. Insiders cause different types of data breaches, which can be categorized as spills, leaks, espionage, or outright sabotage, and they can act for malicious reasons or out of simple negligence. It is worth noting that incidents caused by malicious insiders have decreased over the years, a trend that can be attributed in part to behavioral analytics.

Recent developments in ransomware have also sent shockwaves across the business world. WannaCry was a global outbreak that affected more than 200,000 devices in around 150 countries. WannaCry encrypted the files on an infected computer and demanded a ransom in Bitcoin for the decryption key. The most notable victim was the UK's National Health Service (NHS), where the worst of WannaCry's effects showed themselves. Early accounts, including the one this article draws on, had the compromise start with an insider downloading an email attachment; the later investigations found instead that WannaCry spread on its own as a worm, through Windows systems that were exposed on SMBv1 and had not received the MS17-010 patch, without needing anyone to click. Either way, the entry point was an insider's machine, whether the negligence lay in opening an attachment or in leaving it unpatched.

Shortly after WannaCry, NotPetya swept the world. This time the intent was not extortion but pure sabotage: the ransom note was a disguise, and the malware wiped systems with no way to recover them. NotPetya caught some much larger victims and halted operations at multinational companies, including FedEx (through its TNT Express subsidiary). Reports trace the outbreak to credential theft at MeDoc, the Ukrainian accounting-software vendor, whose software update mechanism was then used to push the malware to its customers; early reports also mentioned an email attachment as a vector.

More on these two cases below. What matters here is that in both WannaCry and NotPetya, an insider's machine or account was the path by which the ransomware got into the organization. Insiders plus ransomware equals financial catastrophe for organizations. Despite this, what executives still fear most are external threat actors, so very strong perimeter-focused technical controls are being implemented, yet the serious breaches keep happening. That is because the breaches usually begin with a negligent insider rather than a masked cyber criminal. So let's explore the scenarios these attacks happened under and see how behavioral analytics could have prevented them.

What Could Have Been: Case Studies

By now you have likely made the connection between how dangerous insider negligence has become and the ransomware it invites into organizations. So in the cases above, how would behavioral analytics have prevented them? It is important to note that behavioral analytics is different from simply flagging a system event: each event is judged against what is normal for that particular user, so the same action can be routine for one account and alarming for another. Machine learning integrated with user and system analysis gives a network enhanced security and smarter detection of abnormal events.

UK National Health Service

According to early reports, the National Health Service was disrupted when an employee opened an attachment downloaded from an email (later investigations attributed the spread to the SMBv1 worm rather than to an attachment, but the scenario remains instructive). From there WannaCry spread to sixteen NHS organisations within hours and disrupted operations; people were advised not to seek medical care unless it was an emergency. So how could behavioral analytics have prevented this incident? When the user received an email from an unfamiliar source, behavioral analytics software would have recorded it; depending on whether that was a normal event for that user, it may or may not have been flagged as abnormal on its own. What would have stood out is what followed: a newly launched process rewriting large numbers of files in quick succession, and a clinical workstation suddenly reaching out to other machines on the network, neither of which is normal for that user or that machine. Software seeing that deviation could have produced an automated response to contain it, isolating the host within seconds and preventing the harmful impact this event had on thousands of lives.

MeDoc and NotPetya

One of the most devastating attacks in cyber security history appears to have originated from credential theft from a MeDoc employee. The impact was then felt worldwide, to the point of catching the eye of NATO. Some staff from MeDoc have been arrested, and the company faces lawsuits for damages in the millions. While a state actor is held responsible, the attack served as a reminder that no one is safe from political conflict. How could behavioral analytics have prevented MeDoc from becoming the source of infection for thousands of companies across the world? The compromise of MeDoc's systems came from the theft of an employee's credentials. If MeDoc had had a behavioral analytics system in place, there would have been a baseline for the employee whose credentials were stolen: the addresses they normally log in from, the hours they work, the systems they touch, and how much they touch them. An attacker using the same username and password from an unfamiliar address, at an odd hour, against update infrastructure that employee never normally administers, would have diverged from that baseline almost immediately and could have been locked out before a backdoored update ever shipped.
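To make the baseline-and-deviation idea from the definition above and from this stolen-credential scenario concrete, here is an added example; it is not code from the original article or from Teramind's product. A small Python script builds a per-user profile from a training window of constructed authentication log lines (where the user logs in from, which hosts they touch, which hours they are active, and the busiest day seen), then scores later events against that profile and raises an alert when the weighted deviations cross a threshold. The log format, the users, addresses and hostnames, the weights, and the alert threshold are all assumptions made for the example.

```python
"""Per-user baseline and deviation scoring over constructed authentication logs.

Log format (an assumption for this example, not any product's format):
    timestamp,user,src_ip,host,action
"""
from collections import defaultdict
from datetime import datetime

# Constructed training window: a few days of routine activity for two users.
BASELINE_LOGS = """\
2017-06-19T08:02:11,alice,10.0.1.15,fileshare01,login
2017-06-19T08:05:40,alice,10.0.1.15,hr-app,login
2017-06-19T17:10:03,alice,10.0.1.15,fileshare01,logout
2017-06-20T07:58:22,alice,10.0.1.15,fileshare01,login
2017-06-20T09:14:09,alice,10.0.1.15,hr-app,login
2017-06-20T17:02:51,alice,10.0.1.15,fileshare01,logout
2017-06-21T08:11:37,alice,10.0.1.15,fileshare01,login
2017-06-21T16:55:20,alice,10.0.1.15,fileshare01,logout
2017-06-19T09:00:00,bob,10.0.2.40,build01,login
2017-06-20T09:03:12,bob,10.0.2.40,build01,login
2017-06-21T09:01:45,bob,10.0.2.41,build01,login
"""

# Constructed events to score: alice's credentials reused late at night from an
# unfamiliar address against hosts she never touches, at unusual volume.
NEW_LOGS = """\
2017-06-27T08:03:19,alice,10.0.1.15,fileshare01,login
2017-06-27T23:41:02,alice,203.0.113.77,fileshare01,login
2017-06-27T23:41:30,alice,203.0.113.77,update-server,login
2017-06-27T23:41:31,alice,203.0.113.77,db01,login
2017-06-27T23:41:32,alice,203.0.113.77,db02,login
2017-06-27T23:41:33,alice,203.0.113.77,db03,login
2017-06-28T09:02:10,bob,10.0.2.40,build01,login
"""

# Assumed weights and threshold; a real deployment tunes these per population.
WEIGHTS = {"new_src": 3, "new_host": 2, "odd_hour": 2, "volume": 2}
ALERT_THRESHOLD = 4


def parse(text):
    """Turn the CSV-style lines into event dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, host, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "host": host, "action": action})
    return events


def build_baseline(events):
    """Profile each user: seen source IPs, seen hosts, active hours, busiest day."""
    seen = defaultdict(lambda: {"srcs": set(), "hosts": set(), "hours": set(),
                                "per_day": defaultdict(int)})
    for e in events:
        p = seen[e["user"]]
        p["srcs"].add(e["src"])
        p["hosts"].add(e["host"])
        p["hours"].add(e["ts"].hour)
        p["per_day"][e["ts"].date()] += 1
    return {user: {"srcs": p["srcs"], "hosts": p["hosts"], "hours": p["hours"],
                   "max_per_day": max(p["per_day"].values())}
            for user, p in seen.items()}


def deviations(baseline, event, count_today):
    """Name each way this event departs from the user's own baseline."""
    b = baseline[event["user"]]
    reasons = []
    if event["src"] not in b["srcs"]:
        reasons.append("new_src")
    if event["host"] not in b["hosts"]:
        reasons.append("new_host")
    # Off-hours: more than one hour (on a 24-hour clock) from every active hour.
    hour = event["ts"].hour
    if min(min(abs(hour - h), 24 - abs(hour - h)) for h in b["hours"]) > 1:
        reasons.append("odd_hour")
    # Volume: more events today than on the busiest day in the training window.
    if count_today > b["max_per_day"]:
        reasons.append("volume")
    return reasons


def score_events(baseline, events):
    """Score events in order; alert when weighted deviations reach the threshold."""
    alerts = []
    count_today = defaultdict(int)
    for e in events:
        key = (e["user"], e["ts"].date())
        count_today[key] += 1
        if e["user"] not in baseline:
            # No baseline at all is itself worth an alert.
            reasons, score = ["unknown_user"], ALERT_THRESHOLD
        else:
            reasons = deviations(baseline, e, count_today[key])
            score = sum(WEIGHTS[r] for r in reasons)
        if score >= ALERT_THRESHOLD:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"],
                           "src": e["src"], "host": e["host"],
                           "score": score, "reasons": reasons})
    return alerts


def run():
    """Build the baseline from the training window and score the new events."""
    return score_events(build_baseline(parse(BASELINE_LOGS)), parse(NEW_LOGS))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run as written, alice's routine 08:03 login scores zero, while the night-time burst from 203.0.113.77 produces five alerts whose scores climb from 5 to 9 as the new host and volume deviations stack up; bob's normal login never trips. Two caveats a practitioner would add: a legitimate user on a VPN or travelling also produces a "new_src" and "odd_hour" pair, so a score like this should drive step-up authentication or an analyst review before it drives an automatic lockout, and a baseline built from a window that already contains the attacker's activity will learn that activity as normal, so the training window must predate the suspected compromise.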

In both cases above, behavioral analytics could have prevented global damage. Analyzing user and network activity with machine learning is becoming an ever-increasing need for adequate cyber security. Finding these advanced security solutions is not a difficult task either; some of the best could be right in front of you. Click below to learn more about Teramind.

Isaac Kohen started his career in quantitative finance, developing complex trading algorithms for a major Wall Street hedge fund. During his tenure on Wall Street and his subsequent experience securing highly sensitive data for large multinational conglomerates, he identified the market need for a comprehensive insider threat and data loss prevention solution. And so Teramind was born. Isaac is a well-recognized thought leader in the security industry, with many of his articles published in Forbes, Inc., Tripwire, and CSO Online. Read more industry thought leadership articles on Isaac's LinkedIn.